Configuring the Layer 7 Gateway to log audits and messages via Syslog.

Article ID: 42954


Products

CA API Gateway

Issue/Introduction

While the deployment and maintenance of a Syslog server is not within the purview of the Layer 7 Technologies Customer Support group, we can provide some simple instructions for how to configure a syslog server to receive logs from remote systems. This document only provides instruction for the `rsyslog` application which comes pre-packaged with the Layer 7 Gateway. For more assistance on deploying and configuring other syslog tools, please contact Layer 7 Technologies Professional Services.

Environment

All supported versions of the API Gateway

Resolution

The Syslog server package shipped with the Gateway is configured through the file /etc/rsyslog.conf.

To enable receipt of remote log messages over UDP, add or uncomment the following lines in the Syslog server configuration file:
$ModLoad imudp
$UDPServerRun 514

To enable receipt of remote log messages over TCP, add or uncomment the following lines in the Syslog server configuration file:
$ModLoad imtcp
$InputTCPServerRun 514

For both of these blocks, the value "514" is the port the Syslog server listens on. It can be changed if necessary, but doing so is not recommended, as port 514 is the port IANA assigned to Syslog.

You will also need to ensure that your Syslog server contains a directive that handles the messages arriving from the Gateway. As a short primer, a Syslog server sorts and stores the logs it receives based on two properties: the severity and the facility. The severity is the level that the originating application assigned to the log message. The severity levels are:

  1. debug
  2. info
  3. notice
  4. warning
  5. crit
  6. alert
  7. emerg

The facility gives a general indication of which application a log originated from. The facilities are:

  1. auth
  2. authpriv
  3. cron
  4. daemon
  5. kern
  6. lpr
  7. mail
  8. news
  9. syslog
  10. user
  11. uucp
  12. local0 through local7

The combination of these two items is used to create a directive that instructs the Syslog server how to route or store a message. By default, rsyslog has the following directive:
authpriv.*    /var/log/secure

This example indicates that logs sent with the authpriv facility (a Linux facility used for user authentication to the appliance), at all severity levels, are written to a specific regular file. Gateway logs can be configured to use the local0 through local7 facilities. The facility used for a particular log file is configured in the Manage Log/Audit Sinks task within the Layer 7 Policy Manager. Configuring those items is discussed next.
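To see how the facility and severity of a message decide which directive fires, here is an added example in Python (not part of this article or of the Gateway product) that evaluates classic rsyslog selector lines of the form "facility.severity  target". The numeric facility and severity codes are the RFC 5424 values; the rsyslog default authpriv rule comes from the article, while /var/log/gateway.log and /var/log/critical are assumed target paths chosen for illustration.

```python
# Added example (not from the article or the Gateway product): evaluates classic
# rsyslog selector lines of the form "facility.severity  target" so you can check
# where a message with a given facility and severity would land before editing
# the real /etc/rsyslog.conf. Numeric codes are the RFC 5424 values; the target
# paths other than /var/log/secure are assumed for illustration.

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},   # local0..local7 = 16..23
}
# Severities in order of decreasing urgency; a lower code is more severe.
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
SEVERITY_NAMES = {code: name for name, code in SEVERITIES.items()}


def encode_pri(facility, severity):
    """PRI value carried in the <PRI> prefix of a syslog datagram: facility*8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """Inverse of encode_pri: split a PRI value back into (facility, severity) names."""
    return FACILITY_NAMES[pri // 8], SEVERITY_NAMES[pri % 8]


def selector_matches(selectors, facility, severity):
    """Apply an rsyslog selector list ("authpriv.*", "local0.warning", "*.info;mail.none").

    Each selector is facility[,facility].severity. A named severity matches that level
    and anything more severe; "*" matches every level and "none" excludes the facility.
    Later selectors override earlier ones for the facilities they name, which is the
    classic BSD syslog behaviour rsyslog preserves in its legacy configuration format.
    """
    accepted = False
    for selector in selectors.split(";"):
        fac_part, sev_part = selector.split(".", 1)
        facs = fac_part.split(",")
        if "*" not in facs and facility not in facs:
            continue                       # selector does not name this facility
        if sev_part == "none":
            accepted = False
        elif sev_part == "*":
            accepted = True
        else:
            accepted = SEVERITIES[severity] <= SEVERITIES[sev_part]
    return accepted


def route(rules, facility, severity):
    """Return the targets, in rule order, that a message would be written to."""
    targets = []
    for line in rules:
        selectors, target = line.split(None, 1)   # whitespace separates selector from target
        if selector_matches(selectors, facility, severity):
            targets.append(target.strip())
    return targets


# Rule set modelled on the article: rsyslog's default authpriv rule plus an assumed
# rule for a Gateway log sink configured with the local0 facility.
RULES = [
    "authpriv.*          /var/log/secure",
    "local0.*            /var/log/gateway.log",   # assumed path for the Gateway sink
    "*.crit              /var/log/critical",      # assumed: crit, alert and emerg from any facility
]

if __name__ == "__main__":
    # A Gateway sink on local0 emitting an info message carries PRI 134 on the wire.
    print(encode_pri("local0", "info"), decode_pri(134))
    for fac, sev in [("local0", "info"), ("local0", "crit"), ("authpriv", "info"), ("local1", "debug")]:
        print(f"{fac}.{sev:<8} -> {route(RULES, fac, sev)}")
```

Running it shows that a local0 message at info lands only in the Gateway file, a local0 message at crit lands in both the Gateway file and the catch-all critical file, and a local1 message matches nothing, which is the symptom you see when the facility chosen in the log sink does not match the facility named in the rsyslog rule.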

Configuring the Layer 7 Gateway

The Layer 7 Gateway can be configured to send certain log entries to specific Syslog servers with a certain facility. To configure this behavior, log into the Gateway via the Layer 7 Policy Manager as an administrative user. Once logged in, select the Manage Log/Audit Sinks task from the Tasks menu.

Within that dialog, you can create new log sinks based on filters such as category, host name, service policy, and other attributes of a log message. For details on how to create a log sink, refer to the section titled Managing Log Sink in the Layer 7 Policy Manager User Manual.

When configuring a log sink to send to a Syslog server, ensure that the Type is set to Syslog. This enables the Syslog Settings tab and disables the File Setting tab. Within the Syslog Settings tab, you can configure the server hostname or IP address and the facility that the log entries will be transmitted with. This facility corresponds to the facility used in the directive on the Syslog server.

Creating a new log sink

  1. Log into the Layer 7 Policy Manager as an administrative user.
  2. Open the Manage Log/Audit Sinks task.
  3. Create a new log sink.
  4. Provide a Name and Description.
  5. Set the Type to Syslog.
  6. Open the Syslog settings tab.
  7. Set the Protocol to UDP.
  8. Add a host server via IP address or host name.

At this point, you should be able to send a test message to the configured Syslog server destination. If the message does not arrive and the Syslog server is located in another network segment, an intermediary network device may be blocking traffic from the Gateway to the Syslog server.
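The test-message step above, as an added Python example that is not part of this article or of the Gateway product: it builds the classic BSD-style syslog line a UDP sink emits for the local0 facility, pushes it through a throwaway UDP receiver on 127.0.0.1 standing in for the Syslog server, and checks that the received line carries the expected facility. The hostname "gateway-01", the tag "ssg" and the message text are constructed values. Note that a UDP send returns without error even when nothing listens at the far side, so the only place to confirm delivery is the receiver's log.

```python
# Added example (not from the article or the Gateway product): builds the classic
# BSD-style syslog line the Gateway's UDP sink emits, pushes it through a throwaway
# UDP receiver on 127.0.0.1, and shows that the only evidence of delivery is what
# the receiver sees. Hostname, tag and message text below are constructed values.
import socket
import time

LOCAL0 = 16   # facility code for local0 (RFC 5424); local0..local7 are 16..23
INFO = 6      # severity code for info


def build_message(facility_code, severity_code, hostname, tag, text):
    """Format "<PRI>Mmm dd HH:MM:SS HOST TAG: MSG", which rsyslog's imudp parses."""
    pri = facility_code * 8 + severity_code
    stamp = time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {hostname} {tag}: {text}"


def parse_pri(message):
    """Recover (facility_code, severity_code) from the leading <PRI> of a received line."""
    if not message.startswith("<") or ">" not in message:
        # RFC 3164 tells receivers to assume PRI 13 (user.notice) when the prefix is absent
        raise ValueError("no <PRI> prefix: receiver would fall back to user.notice")
    pri = int(message[1:message.index(">")])
    return pri // 8, pri % 8


def send_udp(message, host, port):
    """Send one datagram. UDP reports no failure when nothing listens on the far side,
    so a clean return here proves only that the packet left this host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.sendto(message.encode("utf-8"), (host, port))


def loopback_roundtrip(message, timeout=2.0):
    """Stand in for the Syslog server: bind an ephemeral UDP port on loopback,
    send the message to it and return exactly the text that arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(timeout)
        host, port = rx.getsockname()
        send_udp(message, host, port)
        data, _ = rx.recvfrom(65535)
    return data.decode("utf-8")


def check_facility(received, expected_facility_code):
    """True when the received line carries the facility the rsyslog rule expects;
    a mismatch here is the usual reason a sink 'works' but writes to the wrong file."""
    facility, _ = parse_pri(received)
    return facility == expected_facility_code


if __name__ == "__main__":
    msg = build_message(LOCAL0, INFO, "gateway-01", "ssg", "syslog sink test")   # constructed
    got = loopback_roundtrip(msg)
    print(got)
    print("facility local0 confirmed:", check_facility(got, LOCAL0))
```

On a real deployment the receiver is rsyslog on the Syslog server; if the loopback round trip works but nothing reaches that server, the message left the Gateway and the problem lies on the path in between, which is the case the paragraph above describes.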